How to undertake a supplier assessment

Are you arranging a new contract with a supplier that involves personal data or a connection to the University network? If so, you need to undertake a supplier assessment.

There are two types of assessment – Standard and Enhanced. The total value of your contract (excluding VAT) determines which you should undertake.

  • If the total value of your contract is under £10,000, complete the Standard Assessment.
  • If the total value of your contract exceeds £10,000, complete the Enhanced Assessment.

Whichever assessment you undertake, you should ideally allow 4 weeks to complete the process, from starting the assessment process to signing the contract.

Standard Assessment

To carry out a Standard Assessment, the University requires the purchaser and supplier to complete a questionnaire. You’ll find a link to the questionnaire and guidance on completing the Standard Assessment on our Toolkit resource.

The questionnaire is in two parts. The first is the proposal, in which you provide detail of what you are buying, the benefits it brings, what data the supplier will have access to, and whether they will have a connection to the University network. The second is completed by the supplier, who provides details on governance, assurance, access, security measures, personal data handling and incident response.

Once the completed form is returned by the supplier, it is assessed by the University’s Information Security and Governance teams to ensure sufficient security measures are in place. The proposal is concluded when a contract is signed to formalise the supplier’s obligations.

Enhanced Assessment

To carry out an Enhanced Assessment, the University requires you to use the Scottish Government’s Cyber Security Procurement Support Tool (CSPST). Both you and the supplier(s) will need to register to use this tool.

Once registered, you use the tool to generate a bespoke questionnaire for the supplier to complete. This is known as a Risk Profile Assessment (RPA). You’ll find guidance on registering for and using this tool on our Toolkit resource. 

Ultimately you will send the supplier(s) a link to the RPA, requesting that they complete it within 10 working days. As with the Standard process, the response will be assessed by the University’s Information Security and Governance teams before the proposal is concluded and the contract signed.

Why do we need to carry out these assessments?

It is important for the University to understand and manage cyber security and data governance risks that arise from relationships with third-party suppliers. If you are sharing data with a supplier, or contracting with any third party, it is essential that an assessment of the type of information or data to be shared is undertaken. This allows the University to only enter into contracts with suppliers who can give assurances that they meet at least the minimum security requirements for the software or service you wish to procure.

If you have any questions, please get in touch with either the Information Security Manager, Gary Fisher at, or the Information Governance Team at


Author: Information Governance Team